Monitoring AWS account user activity can help you and your organization to meet security and compliance requirements and enable you to respond fast to any unauthorized access sessions or potential security breaches. Cloud Conformity can detect in real time any successful and unsuccessful AWS Management Console sign-in events triggered by IAM and federated users. An IAM user is an identity created for your Amazon Web Services account that has specific custom permissions (for example, permissions to manage RDS database instances within a particular region). You can use an IAM user name and password to sign in to your AWS Management Console in order to access all your provisioned resources - when the user has admin-level privileges, or to access a certain service or resource - when the user has a specific set of permissions that follows the principle of least privilege. A federated user is an entity managed externally that can be authorized to access AWS service APIs and AWS resources. For example, you can authorize a federated user to call AWS CloudFormation APIs as an alternative to creating IAM users to use CloudFormation. The Cloud Conformity RTMA engine integrates with Amazon CloudTrail service which records the attempts to sign in to the AWS Management Console. All AWS IAM user sign-in attempts (successes and failures), all federated user sign-in events (successes and failures) and all successful AWS root account sign-in attempts (root sign-in failures are not detected) generate records in CloudTrail log files. The RTMA engine scans the CloudTrail log files for entries associated with these sign-in events, including the IP address of the entity signing in and whether MFA was enforced for that sign-in, then sends notifications to the recipients defined in the Cloud Conformity account settings. The communication channels for sending these notifications can be easily configured within Cloud Conformity account. The list of supported communication channels that you can use to receive AWS IAM sign-in event alerts are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring
Monitoring IAM access in real-time is essential for keeping your Amazon Web Services account secure. When an IAM user or a federated user is used by an inexperienced person within your organization, his actions can lead to severe security issues, data leaks, data loss or even unexpected charges on your AWS bill – that's why is important to know who is signing in to our AWS account. Once enabled, Cloud Conformity RTMA starts monitoring IAM sign-in events in order to help you gain visibility into your account user activity and sends notifications whenever AWS Management Console sign-in events are produced. Besides granting your IAM and federated users the minimum amount of privileges necessary to perform their assigned tasks, Cloud Conformity recommends using this RTMA feature to monitor 24/7 your AWS account user activity.